TrickBot Malware Gets UEFI/BIOS Bootkit Feature to Remain Undetected
TrickBot, one of the most notorious and adaptable malware botnets in the world, is expanding its toolset to set its sights on firmware vulnerabilities to potentially deploy bootkits and take complete control of an infected system. The new functionality, dubbed "TrickBoot" by Advanced Intelligence (AdvIntel) and Eclypsium, makes use of readily available tools to check devices for well-known
TrickBot, one of the most notorious and adaptable malware botnets in the world, is expanding its toolset to set its sights on firmware vulnerabilities to potentially deploy bootkits and take complete control of an infected system.
The new functionality, dubbed "TrickBoot" by Advanced Intelligence (AdvIntel) and Eclypsium, makes use of readily available tools to check devices for well-known vulnerabilities that can allow attackers to inject malicious code in the UEFI/BIOS firmware of a device, granting the attackers an effective mechanism of persistent malware storage.
"This marks a significant step in the evolution of TrickBot as UEFI level implants are the deepest, most powerful, and stealthy form of bootkits," the researchers said.
"By adding the ability to canvas victim devices for specific UEFI/BIOS firmware vulnerabilities, TrickBot actors are able to target specific victims with firmware-level persistence that survives re-imaging or even device bricking capability."
UEFI is a firmware interface and a replacement for BIOS that improves security, ensuring that no malware has tampered with the boot process. Because UEFI facilitates the loading of the operating system itself, such infections are resistant to OS reinstallation or replacement of the hard drive.
TrickBot emerged in 2016 as a banking trojan but has since evolved into a multi-purpose malware-as-a-service (MaaS) that infects systems with other malicious payloads designed to steal credentials, email, financial data, and spread file-encrypting ransomware such as Conti and Ryuk.
Its modularity and versatility have made it an ideal tool for a diverse set of threat actors despite attempts by cyber vendors to take the infrastructure down. It has also been observed in conjunction with Emotet campaigns to deploy Ryuk ransomware.
"Their most common attack chain largely begins via Emotet malspam campaigns, which then loads TrickBot and/or other loaders, and moves to attack tools like PowerShell Empire or Cobalt Strike to accomplish objectives relative to the victim organization under attack," the researchers said. "Often, at the end of the kill-chain, either Conti or Ryuk ransomware is deployed."
To date, the botnet has infected more than a million computers, according to Microsoft and its partners at Symantec, ESET, FS-ISAC, and Lumen.
From a Reconnaissance Module to an Attack Function
The newest addition to their arsenal suggests that TrickBot can not only be used to target systems en masse with ransomware and UEFI attacks but also provide criminal actors even more leverage during ransom negotiation by leaving a covert UEFI bootkit on the system for later use.
The development is also yet another sign that adversaries are extending their focus beyond the operating system of the device to lower layers to avoid detection and carry out destructive or espionage-focused campaigns.
TrickBot's reconnaissance component, observed for the first time in October 2020 right after the take-down attempts orchestrated by the US Cyber Command and Microsoft, targets Intel-based systems from Skylake through Comet Lake chipsets to probe for vulnerabilities in the UEFI firmware of the infected machines.
Specifically, the researchers found that TrickBoot takes aim at the SPI flash chip that houses the UEFI/BIOS firmware, using an obfuscated copy of RWEverything tool's RwDrv.sys driver to check if the BIOS control register is unlocked and the contents of the BIOS region can be modified.
Although the activity is limited to reconnaissance so far, it wouldn't be a stretch if this capability is extended to write malicious code to the system firmware, thereby ensuring that attacker code executes before the operating system and paving the way for the installation of backdoors, or even the destruction of a targeted device.
What's more, given the size and scope of the TrickBot, an attack of this kind can have severe consequences.
"TrickBoot is only one line of code away from being able to brick any device it finds to be vulnerable," the researchers noted. "The national security implications arising from a widespread malware campaign capable of bricking devices is enormous."
With UEFI persistence, "TrickBot operators can disable any OS level security controls they want, which then allows them to re-surface to a modified OS with neutered endpoint protections and carry out objectives with unhurried time on their side."
To mitigate such threats, it's recommended that the firmware is kept up-to-date, BIOS write protections are enabled, and firmware integrity is verified to safeguard against unauthorized modifications